Security Budgets Are Up - But Are We Spending Wisely?

In plain terms, 2014 sucked for information security. Mega-breaches at retailers, insider theft at banks, and human error at universities and hospitals. The silver lining may be the fact that senior managers are finally realizing their organizations have to do a better job of securing their networks, users, and data.

Numerous studies over the past few months have shown that organizations are talking about security. Board directors want to know what is being done and senior executives are working with security managers to launch security initiatives. Many organizations are appointing their very first CISOs. In fact, several reports released this month paint a picture of executives increasingly being more aware and investing real budget dollars to improve their security defenses as a result.

A Ponemon Institute/Identity Finder report found that 55 percent of senior executives said they were extremely concerned about their organizations' ability to withstand data breaches after the mega-breach at Target. The number was a mere 13 percent before the breach at Target, the survey found.

“Senior management gets a wake up call and realizes the need for a stronger cyber defense posture,” according to the report.

Executives are investing, or plan to invest, in security this year. Piper Jaffray's fourth annual CIO survey found that 75 percent of CIOs were expecting to increase their security spending in 2015, Scott Gainey, vice-president of products and marketing at Palo Alto Networks, wrote in a recent SecurityWeek column. Even though IT budgets generally don't increase by more than 2 percent each year, Morgan Stanley estimated information security budgets would increase by 8.4 percent.

The fact that information security will be getting a larger piece of the IT budget this year actually makes the findings of Trustwave's “Security on the Shelf” report even more worrisome. A survey conducted by Osterman Research on behalf of Trustwave found that many companies had already-paid-for software lying around unused, or had some protective features that weren't being utilized. In the average organization, "only" 4.8 percent of security-related software was not being used at all, and 23.5 percent was working, but could be better, the report found. One company claimed 60 percent of its security software was shelfware.

In an earlier conversation about CISO wish lists, Rick Howard, CSO of Palo Alto Networks, noted that many security initiatives go awry because the tools aren't set up correctly. "We spend gazillions of dollars to buy the latest and greatest, and yet fail to squeeze as much efficiency out of it as possible," Howard said.

Examples of underutilized technologies include firewalls that are installed but not configured with the up-to-date settings, database monitoring tools and SIEM platforms logging alerts no one has time to look at, and data leak prevention software with no rules defining what data to block, Trustwave said. Compare this finding to the Identity Finder/Ponemon Institute report, which found that organizations were funneling most of their funding towards SIEM, intrusion detection, and endpoint security tools.

All that new spending, and the chances of the technology not being used at all are unnervingly high. The studies suggest that despite increased spending, organizations aren't necessarily getting more security than in previous years.

"Many of us fall a bit short on that last hurdle," Howard said, noting the actual detailed configuration of the device is left to later because there are other things that need to be done right away. "The problem is that later hardly ever comes."

It's important to remember that shelfware isn't just a security problem, as almost all businesses have software that is never used. A little less than 40 percent of respondents said a fifth or more of their enterprise software spending is wasted on shelfware, according to joint research by Flexera Software and IDC late last year.

"It’s very easy for shelfware to accumulate when organizations don’t proactively implement best practices and technology to track, manage and optimize their software estates," Amy Konary, a research vice-president for software licensing and provisioning at IDC, said at the time of the report's release.

"I would like to have all of the security controls that I have installed in the past couple of years to be configured to run the way that I thought they would be configured when I purchased them in the first place," Howard said.

The reasons behind shelfware all boiled down to IT resources and time, the Trustwave report found.

One way to address the shelfware problem is to consider cloud services and managed services providers, as that would give organizations access to needed security expertise while reducing time and resource constraints on internal IT teams. Organizations in the survey said 19 percent of their security infrastructure was cloud-based or delivered as managed services in 2014, and expect that figure to rise to 28 percent in 2015.

“The economics are simply too attractive to pass up,” Gainey said in his column. Even with increased concerns about the security of data in public clouds and how damaging a cloud-based breach can be, organizations are not going to shy away from the cloud, he said.

Can we just make sure that organizations invest in, and properly use, the technologies they are buying?


Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.